(54) Efficient authentication with key update

(57) A more efficient method for performing authentication is provided by using an authentication challenge transmitted to a terminal to provide the terminal with the information to calculate authentication and cipher key values. As a result, a separate communication is not required to provide the terminal with key values. A visiting authentication center obtains a random value R_T, an authentication key value K_A and a cipher key value K_C from a home authentication center. The visiting authentication center then transmits the random number R_T to the terminal to update the terminal's authentication key and cipher key values, and to challenge the terminal as part of an authentication process. The terminal uses R_T to calculate the authentication key value K_A and the cipher key value K_C, and to respond to the visiting authentication center's challenge. In addition, the authentication key value is used to verify the visiting network's response to the terminal's authentication challenge to the network.
Description

Background of the Invention 
Field of the Invention 

[0001] The present invention relates to communica- 
tions; more specifically, the authentication of communi- 
cating parties in wireless communication systems. 

Description of the Related Art 
[0002] FIG. 1 illustrates a base station 10, its associated cell 12 and mobile 14 within cell 12. When mobile 14 first registers or attempts communications with base station 10, base station 10 authenticates or verifies the mobile's identity before allowing the mobile access to the communication network. When mobile 14 is in a network other than its home network, it is referred to as being in a visiting network. The home network is the network controlled by the service provider that has contracted with the mobile terminal's owner to provide wireless communication services. If the mobile is operating in a visiting communication network, the authentication of the mobile by base station 10 will involve communicating with authentication center 16 of the mobile's home network. In the example of FIG. 1, mobile 14 is in a visiting network. As a result, the authentication of mobile 14 involves communicating with authentication center 16 of the mobile's home network. When mobile 14 attempts to access the visitor network, base station 10 communicates with authentication center 18 of the visiting communication network. Authentication center 18 determines from a mobile or terminal identifier, such as the telephone number of mobile 14, that mobile 14 is registered with a network that uses home authentication center 16. Visiting authentication center 18 then communicates with home authentication center 16 over a network such as an IS41 signaling network. Home authentication center 16 then accesses a home location register 22 which has a registration entry for mobile 14. Home location register 22 may be associated with the terminal or mobile using an identifier such as the mobile's telephone number. The information contained in the home location register is used to generate encryption keys and other information that is then supplied to visitor location register 24 of visitor authentication center 18. The information from visitor location register 24 is then used to supply base station 10 with information that is transmitted to mobile 14 so that mobile 14 can respond and thereby be authenticated as a mobile that is entitled to receive communication services.

[0003] FIG. 2 illustrates the authentication procedure that is used in GSM networks. In this case, both the mobile and home location register contain a key K_I. RAND, SRES, and K_C. The home authentication center uses the value K_I from the home location register associated with the mobile to generate the values SRES and K_C. The value SRES is calculated by using a cryptographic function known as A3 with the random number RAND as an input and the value K_I as a key input. In a similar fashion, the cipher key K_C is calculated by using a cryptographic function A8 with RAND as an input and the value K_I as a key input. These values are then transferred to the visitor location register of the visiting authentication center. The visiting authentication center then challenges the mobile by transmitting the random number RAND to the mobile. The mobile then calculates the values SRES and K_C in the same fashion as calculated by the home authentication center. The mobile then transmits the value SRES to the visiting authentication center, where the visiting authentication center compares the SRES received from the mobile with the SRES received from the home authentication center. If the values match, the mobile is allowed access to the visiting network. If further communications between the mobile and visiting network are to be encrypted, they are encrypted using the A5 cryptographic function with the message to be encrypted as an input and with the key input equal to the value K_C. The cryptographic functions A3, A5 and A8 are well known in the art and are recommended by the GSM standard. In the GSM system, this authentication process, including the communication with the home authentication center, is carried out each time the mobile enters into a new call with the visiting network.
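The FIG. 2 exchange as an added example; this is not code from the patent. A3 and A8 are stood in for by HMAC-SHA-1 keyed with K_I (an assumption: the real operator algorithms are not on the page), and the class and function names are this example's own. It shows the two properties the text states: the home authentication center is contacted once per call, and the mobile answers whatever RAND it is handed, since nothing in the exchange lets it verify the network.

```python
import hashlib
import hmac
import os


# Constructed stand-ins for GSM A3 (SRES) and A8 (Kc): HMAC-SHA-1 keyed with
# Ki and tagged per algorithm. The real A3/A8 are operator-chosen; this only
# reproduces their keyed, one-way shape (assumption, not the page's algorithm).
def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES = A3(RAND; Ki), truncated here to 32 bits as in GSM."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha1).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc = A8(RAND; Ki), truncated here to 64 bits as in GSM."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha1).digest()[:8]


class HomeAuthCenter:
    """Holds the home location register: identifier -> Ki."""

    def __init__(self, hlr: dict):
        self.hlr = hlr
        self.contacts = 0  # how often the visiting network asked us

    def triplet(self, ident: str):
        """Generate (RAND, SRES, Kc) for one authentication."""
        self.contacts += 1
        ki = self.hlr[ident]
        rand = os.urandom(16)
        return rand, a3(ki, rand), a8(ki, rand)


class Mobile:
    def __init__(self, ident: str, ki: bytes):
        self.ident, self.ki, self.kc = ident, ki, None

    def respond(self, rand: bytes) -> bytes:
        # The mobile recomputes SRES and Kc from RAND exactly as the home
        # center did. It has no way to tell who sent RAND: this protocol
        # authenticates only the mobile, never the network.
        self.kc = a8(self.ki, rand)
        return a3(self.ki, rand)


class VisitingAuthCenter:
    def __init__(self, home: HomeAuthCenter):
        self.home = home
        self.vlr = {}  # visitor location register: identifier -> (RAND, SRES, Kc)

    def authenticate_call(self, mobile: Mobile) -> bool:
        # A fresh triplet is fetched from the home network for every call.
        rand, sres, kc = self.home.triplet(mobile.ident)
        self.vlr[mobile.ident] = (rand, sres, kc)
        return hmac.compare_digest(sres, mobile.respond(rand))


def run_gsm_calls(n_calls: int, mobile_ki: bytes, hlr_ki: bytes):
    """Return (all_calls_accepted, keys_agree_on_last_call, home_contacts)."""
    ident = "+15555550100"  # constructed identifier (telephone number)
    home = HomeAuthCenter({ident: hlr_ki})
    visiting = VisitingAuthCenter(home)
    mobile = Mobile(ident, mobile_ki)
    accepted = all(visiting.authenticate_call(mobile) for _ in range(n_calls))
    keys_agree = mobile.kc == visiting.vlr[ident][2]
    return accepted, keys_agree, home.contacts


if __name__ == "__main__":
    KI = bytes(range(16))  # constructed 128-bit Ki shared by mobile and HLR
    print(run_gsm_calls(3, KI, KI))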

[0004] FIGS. 3a and 3b illustrate the authentication process used for an IS41 compliant network. Examples of IS41 compliant networks are networks that use AMPS, TDMA or CDMA protocols. In this system, both the mobile and home location register contain a secret value called AKEY. When the mobile requests access to a visiting network, the visiting network authentication center requests data from the home authentication center. Before the actual authentication process can start, a key update is performed by providing the mobile and the visitor location register with keys that will be used with encryption algorithms for authentication and communication. The home location register associated with the mobile is located using an identifier such as the mobile's telephone number, and the AKEY value stored in the home location register is used to produce the data that will be transmitted to the visitor location register. The values calculated are the SSDA (Shared Secret Data A) and SSDB (Shared Secret Data B) values. These values are calculated by performing the CAVE algorithm using a random number R_S as an input and the value AKEY as the key input. The CAVE algorithm is well known in the art and is specified in the IS41 standard. When the mobile requests access to the visiting network, the visiting authentication center contacts the home authentication center to receive the variables. The home authentication center then transfers the values R_S, SSDA and SSDB to the visitor location register of the visiting network. The visiting network then updates the shared secret data (SSDA and SSDB) that will be used by the mobile by transmitting R_S to the mobile. The mobile then calculates the SSDA and SSDB in the same fashion as calculated by the home authentication center. Now that the mobile and visitor location register both contain the SSDA and SSDB values, the authentication process may take place.
[0005] FIG. 3b illustrates how a mobile is authenticated within a visiting network after both the mobile and visiting location register have received the keys SSDA and SSDB. The visiting authentication center challenges the mobile by sending a random number R_N to the mobile. At this point both the mobile and the visiting authentication center calculate the value AUTHR, where AUTHR is equal to the output of the CAVE algorithm using the random number R_N as an input and the SSDA value as the key input. The mobile then transmits the calculated value AUTHR to the visiting authentication center. The visiting authentication center compares its calculated value of AUTHR and the value received from the mobile. If the values match, the mobile is authenticated and it is given access to the visiting network. In addition, both the mobile and the visiting authentication center calculate the value of cipher key K_C, where the value K_C is equal to the output of the CAVE algorithm using the value R_N as an input and the value SSDB as the key input. At this point, communications between the mobile and visiting network are permitted and may be encrypted using a cryptographic function where the inputs are the message to be encrypted and the key K_C. The cryptographic functions are specified for CDMA and TDMA systems by their respective standards. It should be noted that with regard to IS41, communications between the visiting authentication center and the home authentication center are only carried out each time the mobile registers with the visiting network, as opposed to each time a call is made to the mobile.
[0006] The methods discussed above illustrate a way for verifying that the mobile is authorized to have access to the network, but they do not deal with the mobile verifying that it is being asked to identify itself by a legitimate network. FIG. 4 illustrates a proposal for an improvement to the IS41 standard that allows for mutual authentication between a visiting network and a mobile. FIG. 4 illustrates the process of mutual authentication once both the mobile and visiting location register have received the values SSDA and SSDB as discussed above with regard to FIG. 3a. The visiting network challenges the mobile by transmitting the random number R_N. The mobile then responds by performing a calculation to obtain the output of a cryptographic function F1 using the values R_M and R_N as inputs and the value SSDA as a key input. In this case, R_N is the same value that was transmitted by the visiting network and the value R_M is a random number calculated by the mobile. In addition to transmitting the output of this cryptographic function, the value R_M is also transmitted in unencrypted form to the visiting network. The visiting network calculates the output of the F1 cryptographic function using the values R_N and the unencrypted form of R_M as inputs to the cryptographic function, with the value SSDA as a key input. This output value is compared to the value received from the mobile, and if they match, the mobile is verified or authenticated. The visiting network is then authenticated or verified by the mobile by responding to the challenge supplied by the mobile in the form of value R_M. The visiting authentication center then transmits the output of the cryptographic function F2 using the value R_M as an input and the value SSDA as a key input. The mobile then performs the same calculation and compares the value it received from the visiting network with the value it obtained from the output of cryptographic function F2 using key value SSDA and value R_M. If the values match, the mobile considers the network authenticated or verified and continues to communicate with the network. Both the visiting authentication center and the mobile calculate the value for cipher key K_C by obtaining the output of cryptographic function F3 using the values R_N and R_M as inputs and the value SSDB as a key input. At this point, the mobile and visiting network can communicate; however, if encrypted communications are desired, the messages are encrypted using the encryption algorithm F4 with the message to be encrypted as an input and the value K_C as a key input. Cryptographic functions F1, F2, and F3 may be hash functions or a one way cryptographic function such as SHA-1, and function F4 may be a cryptographic function such as DES. Hash functions, one way cryptographic functions such as SHA-1 and cryptographic functions such as DES are well known in the art.
[0007] The proposed mutual authentication process suffers from inefficiency in that it requires that both the mobile and the visiting location register have the values SSDA and SSDB before the authentication process may start. As a result, at least two sets of communications are required between the mobile and the visiting authentication center. The first set of communications provides the mobile with information used to calculate values SSDA and SSDB. The second set of communications is used to perform the mutual authentication.
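The two sets of communications of [0004] and [0006] (key update per FIG. 3a, then mutual authentication per FIG. 4) as an added example; this is not code from the patent. CAVE and the functions F1, F2, F3 are all stood in for by HMAC-SHA-1 with a per-function tag (an assumption; the text only says they may be one way functions such as SHA-1), the class names are this example's own, and the over-the-air message count is tallied so the cost the paragraph describes is visible.

```python
import hashlib
import hmac
import os


# Constructed stand-ins: HMAC-SHA-1 with a per-function tag plays the role of
# CAVE (key update, FIG. 3a) and of F1, F2, F3 (mutual authentication, FIG. 4).
# The real CAVE algorithm is not reproduced here (assumption).
def keyed(tag: bytes, key: bytes, *inputs: bytes) -> bytes:
    return hmac.new(key, tag + b"".join(inputs), hashlib.sha1).digest()


def cave_ssd(akey: bytes, r_s: bytes):
    """(SSDA, SSDB) derived from R_S under AKEY."""
    return keyed(b"SSDA", akey, r_s), keyed(b"SSDB", akey, r_s)


class HomeAuthCenter:
    def __init__(self, hlr: dict):
        self.hlr = hlr  # home location register: identifier -> AKEY

    def shared_secret_data(self, ident: str):
        r_s = os.urandom(16)
        ssda, ssdb = cave_ssd(self.hlr[ident], r_s)
        return r_s, ssda, ssdb


class Mobile:
    def __init__(self, ident: str, akey: bytes):
        self.ident, self.akey = ident, akey
        self.ssda = self.ssdb = self.r_m = self.k_c = None

    def update_ssd(self, r_s: bytes):
        """Set 1: key update. The mobile only recomputes; nothing is sent back."""
        self.ssda, self.ssdb = cave_ssd(self.akey, r_s)

    def respond(self, r_n: bytes):
        """Set 2: answer R_N with F1(R_M, R_N; SSDA) and the clear R_M."""
        self.r_m = os.urandom(16)
        self.k_c = keyed(b"F3", self.ssdb, r_n, self.r_m)
        return keyed(b"F1", self.ssda, self.r_m, r_n), self.r_m

    def verify_network(self, resp: bytes) -> bool:
        """Check the network's F2(R_M; SSDA) against our own computation."""
        return hmac.compare_digest(resp, keyed(b"F2", self.ssda, self.r_m))


class VisitingAuthCenter:
    def __init__(self, home: HomeAuthCenter):
        self.home = home
        self.vlr = {}  # visitor location register: identifier -> stored values

    def key_update(self, ident: str) -> bytes:
        r_s, ssda, ssdb = self.home.shared_secret_data(ident)
        self.vlr[ident] = {"ssda": ssda, "ssdb": ssdb}
        return r_s

    def challenge(self, ident: str) -> bytes:
        r_n = os.urandom(16)
        self.vlr[ident]["r_n"] = r_n
        return r_n

    def verify_mobile(self, ident: str, resp: bytes, r_m: bytes):
        """Return F2(R_M; SSDA) if the mobile's response checks out, else None."""
        e = self.vlr[ident]
        if not hmac.compare_digest(resp, keyed(b"F1", e["ssda"], r_m, e["r_n"])):
            return None
        e["k_c"] = keyed(b"F3", e["ssdb"], e["r_n"], r_m)
        return keyed(b"F2", e["ssda"], r_m)


def run_is41_mutual_auth(mobile_akey: bytes, hlr_akey: bytes):
    """Return (mobile_ok, network_ok, keys_agree, over_the_air_messages)."""
    ident = "+15555550100"  # constructed identifier
    home = HomeAuthCenter({ident: hlr_akey})
    visiting = VisitingAuthCenter(home)
    mobile = Mobile(ident, mobile_akey)
    air = []  # every message crossing the mobile / visiting-network link
    # Set 1: key update (FIG. 3a)
    r_s = visiting.key_update(ident)
    air.append("R_S")
    mobile.update_ssd(r_s)
    # Set 2: mutual authentication (FIG. 4)
    r_n = visiting.challenge(ident)
    air.append("R_N")
    resp, r_m = mobile.respond(r_n)
    air.append("F1,R_M")
    net_resp = visiting.verify_mobile(ident, resp, r_m)
    if net_resp is None:
        return False, False, False, len(air)
    air.append("F2")
    network_ok = mobile.verify_network(net_resp)
    keys_agree = mobile.k_c == visiting.vlr[ident]["k_c"]
    return True, network_ok, keys_agree, len(air)


if __name__ == "__main__":
    AKEY = bytes(range(8))  # constructed 64-bit AKEY shared by mobile and HLR
    print(run_is41_mutual_auth(AKEY, AKEY))
```

With matching AKEY values the run ends with both sides verified and the same K_C on each end after four over-the-air messages; a mobile holding a different AKEY fails at the F1 check and never sees the network's F2 response.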

Summary of the Invention 

[0008] The present invention provides a more efficient method for performing authentication by using an authentication challenge transmitted to a terminal to provide the terminal with the information to calculate authentication and cipher key values. As a result, a separate communication is not required to provide the terminal with key values, and the inefficiency of the two sets of communications is eliminated. A visiting authentication center obtains a random value R_T, an authentication key value K_A and a cipher key value K_C from a home authentication center. The visiting authentication center then transmits the random number R_T to the terminal to update the terminal's authentication key and cipher key values, and to challenge the terminal as part of an authentication process. The terminal uses R_T to calculate the authentication key value K_A and the cipher key value K_C, and to respond to the visiting authentication center's challenge. In addition, the authentication key value is used to verify the visiting network's response to the terminal's authentication challenge to the network.

Brief Description of the Drawings 

[0009] 

FIG. 1 illustrates the communication between a mobile, visiting network, and home network;
FIG. 2 illustrates the authentication process for a GSM network;
FIGS. 3a and 3b illustrate the key update and authentication process for an IS41 compliant network;
FIG. 4 illustrates a proposed mutual authentication method; and
FIG. 5 illustrates a method for performing key updates and mutual authentication.

Detailed Description 

[0010] FIG. 5 illustrates a method where a single random value transmitted to a mobile or stationary terminal is used to both update the authentication and cipher key values of the terminal and to provide an authentication challenge to the terminal. Mobile or stationary terminal 70 and home location register 72 share key value K_I. When mobile terminal 70 requests access to a visiting network, the visiting authentication center contacts the home authentication center to obtain the random value R_T, authentication key value K_A and cipher key value K_C. In response to this request, the home authentication center accesses the home location register 72 associated with mobile terminal 70 using an identifier such as a telephone number provided by the mobile terminal via the visiting authentication center. The home authentication center then calculates authentication key value K_A by taking the output of cryptographic function F1 using random number R_T as an input and the value K_I as a key input. Additionally, the home authentication center calculates the cipher key value K_C using the output of cryptographic function F2 using the value R_T as an input and the value K_I as a key input. Once these values are calculated, the home authentication center communicates the values R_T, K_A, and K_C to the visiting authentication center. The visiting authentication center then stores the values K_A, K_C and R_T in the visiting location register associated with mobile terminal 70. The visiting authentication center then communicates the value R_T to mobile terminal 70 as both an authentication challenge and as a value that will be used to update the authentication and cipher key values used by the mobile terminal. The mobile terminal uses the value R_T received from the visiting authentication center to calculate the authentication key value K_A and the cipher key value K_C in the same fashion as the values were calculated by the home authentication center. The mobile terminal then uses the authentication key value K_A to respond to the visiting authentication center's authentication challenge. The mobile terminal determines the output of cryptographic function F3 using the values R_T and R_M as inputs and the authentication key value K_A as a key input; however, it is also possible to use the value R_T rather than both R_T and R_M as inputs. The output of the cryptographic function F3 and the value R_M are communicated to the visiting authentication center; however, the value R_M need not be transmitted if it was not used as an input for cryptographic function F3 and if authentication of the network is not required. The value R_M is a random value chosen by the mobile terminal. The visiting authentication center also calculates the output of function F3 with inputs R_T and R_M and key input value K_A so that the result can be compared with the value communicated by the mobile terminal. If the values match, the mobile terminal is then authenticated or verified to the visiting network. The value R_M provided by the mobile terminal is used as an authentication challenge to the visiting network by mobile 70. The visiting network calculates the output of function F4 using the value R_M as an input and the value K_A as a key input. This output value is then communicated to the mobile terminal, where the terminal independently determines the output of function F4 with the value R_M as an input and the value K_A as a key input. If the output values match, the mobile terminal then verifies or authenticates the visiting network. Once both the mobile terminal and visiting network have authenticated or verified each other's identities, communication may continue. The communication may pass using unencrypted messages or encrypted messages. If encrypted messages are used, the messages are encrypted by using the output of cryptographic function F5 with the message as an input and the cipher value K_C as a key input. This process may be carried out each time a call is attempted between the mobile terminal and visiting network. It is also possible to contact the home authentication center each time the mobile registers with a visiting network rather than each time a call is attempted, and to use the same values of K_A, K_C and R_T as long as the mobile remains registered with the visiting network. Cryptographic functions F1, F2, F3 and F4 may be hash functions or a one way cryptographic function such as SHA-1, and function F5 may be a cryptographic function such as DES. Hash functions, one way cryptographic functions such as SHA-1 and cryptographic functions such as DES are well known in the art.
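The FIG. 5 exchange as an added example; this is not code from the patent. F1 through F4 are stood in for by HMAC-SHA-1 with a per-function tag (an assumption; the text only says they may be one way functions such as SHA-1), encryption with F5 is left out, and the class and function names are this example's own. It uses the variant in which both R_T and R_M feed F3, counts the over-the-air messages (three, against the four needed by the FIG. 3a plus FIG. 4 sequence), and exercises the two failure cases a verifier cares about: a terminal holding the wrong K_I, and a network reply that does not match F4(R_M; K_A).

```python
import hashlib
import hmac
import os


# Constructed stand-ins: F1..F4 are HMAC-SHA-1 with a per-function tag (the text
# allows one-way functions such as SHA-1; the keyed form is this example's
# choice). Encryption with F5 is left out; only the key agreement is shown.
def f(tag: bytes, key: bytes, *inputs: bytes) -> bytes:
    return hmac.new(key, tag + b"".join(inputs), hashlib.sha1).digest()


def derive_keys(k_i: bytes, r_t: bytes):
    """K_A = F1(R_T; K_I) and K_C = F2(R_T; K_I), computed identically on both ends."""
    return f(b"F1", k_i, r_t), f(b"F2", k_i, r_t)


class HomeAuthCenter:
    def __init__(self, hlr: dict):
        self.hlr = hlr  # home location register 72: identifier -> K_I

    def key_material(self, ident: str):
        r_t = os.urandom(16)
        k_a, k_c = derive_keys(self.hlr[ident], r_t)
        return r_t, k_a, k_c


class Terminal:
    def __init__(self, ident: str, k_i: bytes):
        self.ident, self.k_i = ident, k_i
        self.k_a = self.k_c = self.r_m = None

    def answer_challenge(self, r_t: bytes):
        """R_T both refreshes K_A/K_C and is the challenge being answered."""
        self.k_a, self.k_c = derive_keys(self.k_i, r_t)
        self.r_m = os.urandom(16)  # the terminal's own challenge to the network
        return f(b"F3", self.k_a, r_t, self.r_m), self.r_m

    def verify_network(self, resp: bytes) -> bool:
        return hmac.compare_digest(resp, f(b"F4", self.k_a, self.r_m))


class VisitingAuthCenter:
    def __init__(self, home: HomeAuthCenter):
        self.home = home
        self.vlr = {}  # visiting location register: identifier -> (R_T, K_A, K_C)

    def challenge(self, ident: str) -> bytes:
        entry = self.home.key_material(ident)  # the single home contact
        self.vlr[ident] = entry
        return entry[0]

    def verify_terminal(self, ident: str, resp: bytes, r_m: bytes):
        """Return F4(R_M; K_A) if the terminal's response checks out, else None."""
        r_t, k_a, _ = self.vlr[ident]
        if not hmac.compare_digest(resp, f(b"F3", k_a, r_t, r_m)):
            return None
        return f(b"F4", k_a, r_m)


def run_fig5_mutual_auth(terminal_k_i: bytes, hlr_k_i: bytes,
                         tamper_network_response: bool = False):
    """Return (terminal_ok, network_ok, keys_agree, over_the_air_messages)."""
    ident = "+15555550100"  # constructed identifier
    home = HomeAuthCenter({ident: hlr_k_i})
    visiting = VisitingAuthCenter(home)
    term = Terminal(ident, terminal_k_i)
    air = []  # every message crossing the terminal / visiting-network link
    r_t = visiting.challenge(ident)
    air.append("R_T")
    resp, r_m = term.answer_challenge(r_t)
    air.append("F3,R_M")
    net_resp = visiting.verify_terminal(ident, resp, r_m)
    if net_resp is None:
        return False, False, False, len(air)
    air.append("F4")
    if tamper_network_response:
        net_resp = bytes(b ^ 0xFF for b in net_resp)  # simulate a wrong network reply
    network_ok = term.verify_network(net_resp)
    keys_agree = term.k_c == visiting.vlr[ident][2]
    return True, network_ok, keys_agree, len(air)


if __name__ == "__main__":
    K_I = bytes(range(16))  # constructed 128-bit K_I shared by terminal and HLR
    print(run_fig5_mutual_auth(K_I, K_I))
```

The key update rides on the challenge itself: the terminal learns K_A and K_C from R_T at the moment it must answer, so no message carrying key material precedes the authentication. A tampered F4 value leaves the terminal authenticated to the network but the network unverified to the terminal, which is exactly the case the mutual check exists to catch.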

[0011] It is also possible to carry out the same procedure when the mobile terminal is in the home network. In this case, the home authentication center, rather than the visiting authentication center, communicates with the mobile terminal. In a wireless network, the communications between the terminal and authentication center pass through a wireless base station.
Claims

1. An authentication method, comprising the steps of:

transmitting a first value to a terminal;
receiving a response from the terminal having at least a first response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value as an input and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input; and
verifying the first response value is equal to an expected first response value.

2. The method of claim 1, wherein the response has a second response value and further comprising the step of transmitting a second value to the terminal, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

3. An authentication method, comprising the steps of:

transmitting a first value to a terminal;
receiving a response from the terminal having at least a first response value and a second response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value and at least a first portion of the second response value as inputs and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input; and
verifying that the first response value is equal to an expected first response value.

4. The method of claim 1 or claim 3, wherein the second key value is associated with the terminal.

5. The method of claim 3, further comprising the step of transmitting a second value to the terminal, where the second value is at least a portion of an output of a third cryptographic function using at least a second portion of the second response value as an input and a third key value as a key input.

6. An authentication method, comprising the steps of:

receiving a first value; and
transmitting a response having at least a first response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value as an input and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input.

7. The method of claim 6, wherein the response has a second response value and further comprising the step of receiving a second value, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

8. The method of claim 7, further comprising the step of verifying the second value is equal to an expected second value.

9. An authentication method, comprising the steps of:

receiving a first value; and
transmitting a response having at least a first response value and a second response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value and at least a first portion of the second response value as inputs and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input.

10. The method of any of claims 1, 3, 6 or 9, wherein the first and second cryptographic functions are the same.

11. The method of any of claims 1, 3, 6 or 9, wherein the first and second portions of the first value are the same.

12. The method of claim 9, further comprising the step of receiving a second value, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

13. The method of claim 12, further comprising the step of verifying the second value is equal to an expected second value.